vulners.com provides curated CESA (CentOS Errata and Security Advisory) data for CentOS and an API for querying it. This service wraps that data in a REST API that can be queried by package name and version, and also accepts a bulk list of CentOS packages in one request so that a client does not have to make one API call per package.

- GET /cve-data?refresh=[true|false]  Get information about the upstream data, or refresh it from the upstream source (the vulners.com archive).
- GET /cve-list?name=xxx&version=xxx  Search for vulnerabilities for a specific package and version.

Example API call:

```
curl -X GET "http://localhost:9000/cve-list?name=kexec-tools&version=1.0.0" | jq '.'
```

Example response:

```json
[
  {
    "lastSeen": "2017-10-03T18:24:29",
    "references": [
      "https://rhn.redhat.com/errata/RHSA-2015-0986.html"
    ],
    "description": "**CentOS Errata and Security Advisory** CESA-2015:0986\n\n\nThe kexec-tools packages contain the /sbin/kexec binary and utilities that\ntogether form the user-space component of the kernel's kexec feature.\nThe /sbin/kexec binary facilitates a new kernel to boot using the kernel's\nkexec feature either on a normal or a panic reboot. The kexec fastboot\nmechanism allows booting a Linux kernel from the context of an already\nrunning kernel.\n\nIt was found that the module-setup.sh script provided by kexec-tools\ncreated temporary files in an insecure way. A malicious, local user could\nuse this flaw to conduct a symbolic link attack, allowing them to overwrite\nthe contents of arbitrary files. (CVE-2015-0267)\n\nThis issue was discovered by Harald Hoyer of Red Hat.\n\nThis update also fixes the following bug:\n\n* On Red Hat Enterprise Linux Atomic Host systems, the kdump tool\npreviously saved kernel crash dumps in the /sysroot/crash file instead of\nthe /var/crash file. The parsing error that caused this problem has been\nfixed, and the kernel crash dumps are now correctly saved in /var/crash.\n(BZ#1206464)\n\nIn addition, this update adds the following enhancement:\n\n* The makedumpfile command now supports the new sadump format that can\nrepresent more than 16 TB of physical memory space. This allows users of\nmakedumpfile to read dump files over 16 TB, generated by sadump on certain\nupcoming server models. (BZ#1208753)\n\nAll kexec-tools users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues and add this\nenhancement.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-May/021131.html\n\n**Affected packages:**\nkexec-tools\nkexec-tools-anaconda-addon\nkexec-tools-eppic\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0986.html",
    "id": "CESA-2015:0986",
    "href": "http://lists.centos.org/pipermail/centos-announce/2015-May/021131.html",
    "modified": "2015-05-13T01:01:15",
    "cvssScore": 3.6,
    "cvssVector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/",
    "cveList": [
      "CVE-2015-0267"
    ],
    "published": "2015-05-13T01:01:15",
    "cvvsVector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"
  },
  {
    "lastSeen": "2017-10-03T18:26:18",
    "references": [
      "https://access.redhat.com/errata/RHBA-2014:0943"
    ],
    "description": "**CentOS Errata and Security Advisory** CESA-2014:0943\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/020448.html\n\n**Affected packages:**\nkexec-tools\nkexec-tools-eppic\n\n**Upstream details at:**\n",
    "id": "CESA-2014:0943",
    "href": "http://lists.centos.org/pipermail/centos-announce/2014-July/020448.html",
    "modified": "2014-07-25T16:26:34",
    "cvssScore": 0,
    "cvssVector": "NONE",
    "cveList": [],
    "published": "2014-07-25T16:26:34",
    "cvvsVector": "NONE"
  }
]
```

Note that the second entry in this response is a bug-fix errata (its upstream reference is an RHBA, not an RHSA) that carries no CVE and a cvssScore of 0. The feed merges such advisories in with the security ones, so a consumer that only wants exploitable findings should filter on a non-empty cveList rather than on the presence of an advisory.
- POST /cve-list  Search for vulnerabilities for a list of packages and versions.

Example request body:

```json
[
  {
    "name": "kexec-tools",
    "version": "1.0.0"
  }
]
```
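The following is an added client-side example, not code from the vulners-service project. It builds the bulk POST /cve-list request body from `rpm -qa` output and reduces the advisory objects that come back to a per-CVE summary, dropping the zero-score bug-fix errata the feed merges in. The base URL is taken from the curl example above; the response shape for the POST endpoint is not shown on this page, so the summarizer assumes it returns the same advisory objects as the GET endpoint. The rpm lines and the response are constructed samples trimmed from the GET output above.

```python
import json
import urllib.request

BASE_URL = "http://localhost:9000"  # assumed; taken from the curl example above

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}\n'` output, not
# captured from a real host.
SAMPLE_RPM_QA = """\
kexec-tools 2.0.15
openssl-libs 1.0.2k
bash 4.2.46
"""

# Constructed sample response, trimmed from the GET /cve-list output shown
# above: one advisory carrying a CVE and one bug-fix errata with no CVEs.
SAMPLE_RESPONSE = [
    {
        "id": "CESA-2015:0986",
        "cvssScore": 3.6,
        "cvssVector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/",
        "cveList": ["CVE-2015-0267"],
        "references": ["https://rhn.redhat.com/errata/RHSA-2015-0986.html"],
        "href": "http://lists.centos.org/pipermail/centos-announce/2015-May/021131.html",
    },
    {
        "id": "CESA-2014:0943",
        "cvssScore": 0,
        "cvssVector": "NONE",
        "cveList": [],
        "references": ["https://access.redhat.com/errata/RHBA-2014:0943"],
        "href": "http://lists.centos.org/pipermail/centos-announce/2014-July/020448.html",
    },
]


def packages_from_rpm_qa(text):
    """Build the POST /cve-list request body from `rpm -qa` lines.

    Each input line is "<name> <version>"; the output is the list of
    {"name": ..., "version": ...} objects the endpoint expects.
    """
    body = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, version = line.partition(" ")
        if not version:
            raise ValueError("malformed rpm line: %r" % line)
        body.append({"name": name, "version": version.strip()})
    return body


def query_bulk(packages, base_url=BASE_URL, timeout=30):
    """POST the package list to /cve-list and return the decoded JSON.

    Needs a running service; the offline sample below does not call it.
    """
    req = urllib.request.Request(
        base_url + "/cve-list",
        data=json.dumps(packages).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize_advisories(advisories, min_cvss=0.0):
    """Reduce advisory objects to a dict keyed by CVE id.

    Advisories whose cveList is empty (bug-fix errata merged into the feed,
    like CESA-2014:0943) are dropped, as are those scoring below min_cvss.
    For each CVE the highest cvssScore seen is kept, together with the
    advisory ids and references that mention it.
    """
    cves = {}
    for adv in advisories:
        score = float(adv.get("cvssScore") or 0)
        if not adv.get("cveList") or score < min_cvss:
            continue
        for cve in adv["cveList"]:
            entry = cves.setdefault(
                cve, {"cvssScore": 0.0, "advisories": [], "references": []})
            entry["cvssScore"] = max(entry["cvssScore"], score)
            entry["advisories"].append(adv["id"])
            for ref in adv.get("references", []):
                if ref not in entry["references"]:
                    entry["references"].append(ref)
    return cves


if __name__ == "__main__":
    # Offline walk-through on the constructed samples; swap SAMPLE_RESPONSE
    # for query_bulk(packages_from_rpm_qa(SAMPLE_RPM_QA)) against a live service.
    print(json.dumps(packages_from_rpm_qa(SAMPLE_RPM_QA), indent=2))
    print(json.dumps(summarize_advisories(SAMPLE_RESPONSE), indent=2))
```

The page does not describe how the service compares the supplied version against the advisory's affected versions (the curl example above matches `kexec-tools` at `1.0.0`), so treat the returned list as candidates and verify the installed package release against the advisory's affected packages before acting on a finding.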
The APIs are also documented with Swagger.
The service also includes a simple web interface for querying by package name and version.
The application uses an embedded H2 database, which can be in-memory or backed by a file on disk; see the Spring properties file for details.
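As an added illustration of the two H2 modes mentioned above (this is not the project's own properties file; it assumes the standard Spring Boot `spring.datasource.*` keys, and the project's actual keys may differ), an in-memory URL is lost on every restart and forces a fresh refresh from the vulners.com archive, while a file URL keeps the imported advisories across restarts:

```properties
# In-memory: data disappears when the JVM exits, so /cve-data?refresh=true
# must be called again after every restart.
spring.datasource.url=jdbc:h2:mem:vulners;DB_CLOSE_DELAY=-1

# File-backed: advisories persist in ./data/vulners.mv.db between restarts.
# spring.datasource.url=jdbc:h2:file:./data/vulners

spring.datasource.driver-class-name=org.h2.Driver

# Keep the H2 web console off in any deployment reachable by other hosts;
# it accepts arbitrary JDBC URLs and SQL over HTTP.
spring.h2.console.enabled=false
```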